Problems with Using SMS in your Password Reset Tool

Highly publicized incidents involving the use of SMS text messages for two-factor authentication have surfaced recently.  PeoplePassword, Web Active Directory’s password management solution and part of its PeoplePlatform suite, lets you go beyond SMS for two-factor or multi-factor authentication through its partnership with Twilio and Authy.

The Problem with SMS

In 2016, Wired Magazine published an article about why it is important to stop using SMS messages for two-factor authentication.  Unfortunately, people may not be listening, and in 2017 the problem continues, with very serious results.  SMS has many security problems.

SMS remains an optional authentication factor in Web Active Directory’s password management solution, PeoplePassword.  A user can use it as one of the means of identifying themselves to reset or change their password or unlock their account.  To avoid SMS and text messaging, without any PeoplePassword configuration changes or customizations, users can instead download and use Authy, an application that runs on iOS, Android, and desktop operating systems.  It works seamlessly with your users’ mobile devices.  Authy also has several advantages over Google Authenticator.

A More Secure Solution

We think Authy is a good choice.  Encrypted transmissions and codes that are valid for only twenty seconds replace insecure SMS.  When a device is lost or stolen, Authy is the better choice over Google Authenticator: another mobile device, a PC, or a Mac, for example, can be used to de-authorize the stolen device.  (Google Authenticator can’t do that.)  Authy also offers optional encrypted cloud backup of tokens.  Use Authy anywhere you might use Google Authenticator, for example for two-factor authentication on Facebook or Twitter, where you scan a QR code to enroll.  Google Authenticator is also not available on desktop (non-mobile) devices.

When considering two-factor or multi-factor authentication for a Self-Service Password Reset (SSPR) solution, look for one, such as Web Active Directory’s PeoplePassword, that lets users identify themselves with their mobile devices through more secure means than SMS.